4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 11 Dec 2018 14:15:26 +0000 (15:15 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 11 Dec 2018 14:15:26 +0000 (15:15 +0100)
added patches:
cfg80211-fix-busy-loop-regression-in-ieee80211_ie_split_ric.patch
cifs-fix-separator-when-building-path-from-dentry.patch
crypto-do-not-free-algorithm-before-using.patch
drivers-hv-vmbus-offload-the-handling-of-channels-to-two-workqueues.patch
drm-amdgpu-gmc8-always-load-mc-firmware-in-the-driver.patch
drm-amdgpu-gmc8-update-mc-firmware-for-polaris.patch
drm-amdgpu-update-mc-firmware-image-for-polaris12-variants.patch
drm-i915-downgrade-gen9-plane-wm-latency-error.patch
drm-lease-send-a-distinct-uevent.patch
drm-msm-move-fence-put-to-where-failure-occurs.patch
gnss-sirf-fix-activation-retry-handling.patch
kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch
kprobes-x86-fix-instruction-patching-corruption-when-copying-more-than-one-rip-relative-instruction.patch
libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch
mac80211-clear-beacon_int-in-ieee80211_do_stop.patch
mac80211-fix-gfp_kernel-under-tasklet-context.patch
mac80211-fix-reordering-of-buffered-broadcast-packets.patch
mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch
mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch
mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch
revert-commit-ef9209b642f-staging-rtl8723bs-fix-indenting-errors-and-an-off-by-one-mistake-in-core-rtw_mlme_ext.c.patch
staging-rtl8712-fix-possible-buffer-overrun.patch
tty-do-not-set-tty_io_error-flag-if-console-port.patch
tty-serial-8250_mtk-always-resume-the-device-in-probe.patch
x86-efi-allocate-e820-buffer-before-calling-efi_exit_boot_service.patch

26 files changed:
queue-4.19/cfg80211-fix-busy-loop-regression-in-ieee80211_ie_split_ric.patch [new file with mode: 0644]
queue-4.19/cifs-fix-separator-when-building-path-from-dentry.patch [new file with mode: 0644]
queue-4.19/crypto-do-not-free-algorithm-before-using.patch [new file with mode: 0644]
queue-4.19/drivers-hv-vmbus-offload-the-handling-of-channels-to-two-workqueues.patch [new file with mode: 0644]
queue-4.19/drm-amdgpu-gmc8-always-load-mc-firmware-in-the-driver.patch [new file with mode: 0644]
queue-4.19/drm-amdgpu-gmc8-update-mc-firmware-for-polaris.patch [new file with mode: 0644]
queue-4.19/drm-amdgpu-update-mc-firmware-image-for-polaris12-variants.patch [new file with mode: 0644]
queue-4.19/drm-i915-downgrade-gen9-plane-wm-latency-error.patch [new file with mode: 0644]
queue-4.19/drm-lease-send-a-distinct-uevent.patch [new file with mode: 0644]
queue-4.19/drm-msm-move-fence-put-to-where-failure-occurs.patch [new file with mode: 0644]
queue-4.19/gnss-sirf-fix-activation-retry-handling.patch [new file with mode: 0644]
queue-4.19/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch [new file with mode: 0644]
queue-4.19/kprobes-x86-fix-instruction-patching-corruption-when-copying-more-than-one-rip-relative-instruction.patch [new file with mode: 0644]
queue-4.19/libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch [new file with mode: 0644]
queue-4.19/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch [new file with mode: 0644]
queue-4.19/mac80211-fix-gfp_kernel-under-tasklet-context.patch [new file with mode: 0644]
queue-4.19/mac80211-fix-reordering-of-buffered-broadcast-packets.patch [new file with mode: 0644]
queue-4.19/mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch [new file with mode: 0644]
queue-4.19/mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch [new file with mode: 0644]
queue-4.19/mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch [new file with mode: 0644]
queue-4.19/revert-commit-ef9209b642f-staging-rtl8723bs-fix-indenting-errors-and-an-off-by-one-mistake-in-core-rtw_mlme_ext.c.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/staging-rtl8712-fix-possible-buffer-overrun.patch [new file with mode: 0644]
queue-4.19/tty-do-not-set-tty_io_error-flag-if-console-port.patch [new file with mode: 0644]
queue-4.19/tty-serial-8250_mtk-always-resume-the-device-in-probe.patch [new file with mode: 0644]
queue-4.19/x86-efi-allocate-e820-buffer-before-calling-efi_exit_boot_service.patch [new file with mode: 0644]

diff --git a/queue-4.19/cfg80211-fix-busy-loop-regression-in-ieee80211_ie_split_ric.patch b/queue-4.19/cfg80211-fix-busy-loop-regression-in-ieee80211_ie_split_ric.patch
new file mode 100644 (file)
index 0000000..99c0a6e
--- /dev/null
@@ -0,0 +1,47 @@
+From 312ca38ddda64bac6513ec68e0ac3789b4eb44dc Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 5 Dec 2018 12:55:54 +0200
+Subject: cfg80211: Fix busy loop regression in ieee80211_ie_split_ric()
+
+From: Jouni Malinen <jouni@codeaurora.org>
+
+commit 312ca38ddda64bac6513ec68e0ac3789b4eb44dc upstream.
+
+This function was modified to support the information element extension
+case (WLAN_EID_EXTENSION) in a manner that would result in an infinite
+loop when going through set of IEs that include WLAN_EID_RIC_DATA and
+contain an IE that is in the after_ric array. The only place where this
+can currently happen is in mac80211 ieee80211_send_assoc() where
+ieee80211_ie_split_ric() is called with after_ric[].
+
+This can be triggered by valid data from user space nl80211
+association/connect request (i.e., requiring GENL_UNS_ADMIN_PERM). The
+only known application having an option to include WLAN_EID_RIC_DATA in
+these requests is wpa_supplicant and it had a bug that prevented this
+specific contents from being used (and because of that, not triggering
+this kernel bug in an automated test case ap_ft_ric) and now that this
+bug is fixed, it has a workaround to avoid this kernel issue.
+WLAN_EID_RIC_DATA is currently used only for testing purposes, so this
+does not cause significant harm for production use cases.
+
+Fixes: 2512b1b18d07 ("mac80211: extend ieee80211_ie_split to support EXTENSION")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/util.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1418,6 +1418,8 @@ size_t ieee80211_ie_split_ric(const u8 *
+                                                         ies[pos + ext],
+                                                         ext == 2))
+                                       pos = skip_ie(ies, ielen, pos);
++                              else
++                                      break;
+                       }
+               } else {
+                       pos = skip_ie(ies, ielen, pos);
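Review bot: The added `else break;` is the only thing that ends the inner loop when the next IE is not listed in after_ric, and nothing in the code says so. A comment on the branch, for example `/* IE not in after_ric: stop here, otherwise pos never advances */`, would record the termination condition. The commit message says the loop is reachable from a user-space nl80211 association/connect request, so the invariant is worth making obvious to the next person who edits this loop. The loop header and the rest of ieee80211_ie_split_ric() lie outside the hunk.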
diff --git a/queue-4.19/cifs-fix-separator-when-building-path-from-dentry.patch b/queue-4.19/cifs-fix-separator-when-building-path-from-dentry.patch
new file mode 100644 (file)
index 0000000..2791a53
--- /dev/null
@@ -0,0 +1,34 @@
+From c988de29ca161823db6a7125e803d597ef75b49c Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <palcantara@suse.com>
+Date: Thu, 15 Nov 2018 15:20:52 +0100
+Subject: cifs: Fix separator when building path from dentry
+
+From: Paulo Alcantara <palcantara@suse.com>
+
+commit c988de29ca161823db6a7125e803d597ef75b49c upstream.
+
+Make sure to use the CIFS_DIR_SEP(cifs_sb) as path separator for
+prefixpath too. Fixes a bug with smb1 UNIX extensions.
+
+Fixes: a6b5058fafdf ("fs/cifs: make share unaccessible at root level mountable")
+Signed-off-by: Paulo Alcantara <palcantara@suse.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/dir.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -174,7 +174,7 @@ cifs_bp_rename_retry:
+               cifs_dbg(FYI, "using cifs_sb prepath <%s>\n", cifs_sb->prepath);
+               memcpy(full_path+dfsplen+1, cifs_sb->prepath, pplen-1);
+-              full_path[dfsplen] = '\\';
++              full_path[dfsplen] = dirsep;
+               for (i = 0; i < pplen-1; i++)
+                       if (full_path[dfsplen+1+i] == '/')
+                               full_path[dfsplen+1+i] = CIFS_DIR_SEP(cifs_sb);
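Review bot: The prefix-path block now spells the separator two ways: the changed line writes `dirsep`, while the loop directly below it still writes `CIFS_DIR_SEP(cifs_sb)`. If `dirsep` is initialised from CIFS_DIR_SEP(cifs_sb) earlier in the function (the commit message implies this, but the assignment is outside the hunk), the loop should use the same local: `full_path[dfsplen+1+i] = dirsep;`. Using one name keeps the two writes from drifting apart if the separator selection ever changes.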
diff --git a/queue-4.19/crypto-do-not-free-algorithm-before-using.patch b/queue-4.19/crypto-do-not-free-algorithm-before-using.patch
new file mode 100644 (file)
index 0000000..3b145b3
--- /dev/null
@@ -0,0 +1,115 @@
+From e5bde04ccce64d808f8b00a489a1fe5825d285cb Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 22 Nov 2018 18:00:16 +0800
+Subject: crypto: do not free algorithm before using
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit e5bde04ccce64d808f8b00a489a1fe5825d285cb upstream.
+
+In multiple functions, the algorithm fields are read after its reference
+is dropped through crypto_mod_put. In this case, the algorithm memory
+may be freed, resulting in use-after-free bugs. This patch delays the
+put operation until the algorithm is never used.
+
+Fixes: 79c65d179a40 ("crypto: cbc - Convert to skcipher")
+Fixes: a7d85e06ed80 ("crypto: cfb - add support for Cipher FeedBack mode")
+Fixes: 043a44001b9e ("crypto: pcbc - Convert to skcipher")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/cbc.c  |    6 ++++--
+ crypto/cfb.c  |    6 ++++--
+ crypto/pcbc.c |    6 ++++--
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/crypto/cbc.c
++++ b/crypto/cbc.c
+@@ -140,9 +140,8 @@ static int crypto_cbc_create(struct cryp
+       spawn = skcipher_instance_ctx(inst);
+       err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst),
+                               CRYPTO_ALG_TYPE_MASK);
+-      crypto_mod_put(alg);
+       if (err)
+-              goto err_free_inst;
++              goto err_put_alg;
+       err = crypto_inst_setname(skcipher_crypto_instance(inst), "cbc", alg);
+       if (err)
+@@ -174,12 +173,15 @@ static int crypto_cbc_create(struct cryp
+       err = skcipher_register_instance(tmpl, inst);
+       if (err)
+               goto err_drop_spawn;
++      crypto_mod_put(alg);
+ out:
+       return err;
+ err_drop_spawn:
+       crypto_drop_spawn(spawn);
++err_put_alg:
++      crypto_mod_put(alg);
+ err_free_inst:
+       kfree(inst);
+       goto out;
+--- a/crypto/cfb.c
++++ b/crypto/cfb.c
+@@ -286,9 +286,8 @@ static int crypto_cfb_create(struct cryp
+       spawn = skcipher_instance_ctx(inst);
+       err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst),
+                               CRYPTO_ALG_TYPE_MASK);
+-      crypto_mod_put(alg);
+       if (err)
+-              goto err_free_inst;
++              goto err_put_alg;
+       err = crypto_inst_setname(skcipher_crypto_instance(inst), "cfb", alg);
+       if (err)
+@@ -317,12 +316,15 @@ static int crypto_cfb_create(struct cryp
+       err = skcipher_register_instance(tmpl, inst);
+       if (err)
+               goto err_drop_spawn;
++      crypto_mod_put(alg);
+ out:
+       return err;
+ err_drop_spawn:
+       crypto_drop_spawn(spawn);
++err_put_alg:
++      crypto_mod_put(alg);
+ err_free_inst:
+       kfree(inst);
+       goto out;
+--- a/crypto/pcbc.c
++++ b/crypto/pcbc.c
+@@ -244,9 +244,8 @@ static int crypto_pcbc_create(struct cry
+       spawn = skcipher_instance_ctx(inst);
+       err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst),
+                               CRYPTO_ALG_TYPE_MASK);
+-      crypto_mod_put(alg);
+       if (err)
+-              goto err_free_inst;
++              goto err_put_alg;
+       err = crypto_inst_setname(skcipher_crypto_instance(inst), "pcbc", alg);
+       if (err)
+@@ -275,12 +274,15 @@ static int crypto_pcbc_create(struct cry
+       err = skcipher_register_instance(tmpl, inst);
+       if (err)
+               goto err_drop_spawn;
++      crypto_mod_put(alg);
+ out:
+       return err;
+ err_drop_spawn:
+       crypto_drop_spawn(spawn);
++err_put_alg:
++      crypto_mod_put(alg);
+ err_free_inst:
+       kfree(inst);
+       goto out;
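Review bot: The success path of crypto_cbc_create() now has its own `crypto_mod_put(alg)` just before `out:`, separate from the one under `err_put_alg:`, and neither site says why the put has to wait; the cfb and pcbc hunks are identical. A short comment at the success-path put, for example `/* alg is read up to registration; drop the lookup reference only now */`, would stop a later cleanup from moving it back above crypto_inst_setname() and reintroducing the use-after-free. The function bodies start and end outside the hunks, so the reads of alg between the two hunks of each file are inferred from the commit message rather than visible here.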
diff --git a/queue-4.19/drivers-hv-vmbus-offload-the-handling-of-channels-to-two-workqueues.patch b/queue-4.19/drivers-hv-vmbus-offload-the-handling-of-channels-to-two-workqueues.patch
new file mode 100644 (file)
index 0000000..303215b
--- /dev/null
@@ -0,0 +1,390 @@
+From 37c2578c0c40e286bc0d30bdc05290b2058cf66e Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Mon, 3 Dec 2018 00:54:35 +0000
+Subject: Drivers: hv: vmbus: Offload the handling of channels to two workqueues
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 37c2578c0c40e286bc0d30bdc05290b2058cf66e upstream.
+
+vmbus_process_offer() mustn't call channel->sc_creation_callback()
+directly for sub-channels, because sc_creation_callback() ->
+vmbus_open() may never get the host's response to the
+OPEN_CHANNEL message (the host may rescind a channel at any time,
+e.g. in the case of hot removing a NIC), and vmbus_onoffer_rescind()
+may not wake up the vmbus_open() as it's blocked due to a non-zero
+vmbus_connection.offer_in_progress, and finally we have a deadlock.
+
+The above is also true for primary channels, if the related device
+drivers use sync probing mode by default.
+
+And, usually the handling of primary channels and sub-channels can
+depend on each other, so we should offload them to different
+workqueues to avoid possible deadlock, e.g. in sync-probing mode,
+NIC1's netvsc_subchan_work() can race with NIC2's netvsc_probe() ->
+rtnl_lock(), and causes deadlock: the former gets the rtnl_lock
+and waits for all the sub-channels to appear, but the latter
+can't get the rtnl_lock and this blocks the handling of sub-channels.
+
+The patch can fix the multiple-NIC deadlock described above for
+v3.x kernels (e.g. RHEL 7.x) which don't support async-probing
+of devices, and v4.4, v4.9, v4.14 and v4.18 which support async-probing
+but don't enable async-probing for Hyper-V drivers (yet).
+
+The patch can also fix the hang issue in sub-channel's handling described
+above for all versions of kernels, including v4.19 and v4.20-rc4.
+
+So actually the patch should be applied to all the existing kernels,
+not only the kernels that have 8195b1396ec8.
+
+Fixes: 8195b1396ec8 ("hv_netvsc: fix deadlock on hotplug")
+Cc: stable@vger.kernel.org
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel_mgmt.c |  189 ++++++++++++++++++++++++++++++----------------
+ drivers/hv/connection.c   |   24 +++++
+ drivers/hv/hyperv_vmbus.h |    7 +
+ include/linux/hyperv.h    |    7 +
+ 4 files changed, 161 insertions(+), 66 deletions(-)
+
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -447,61 +447,16 @@ void vmbus_free_channels(void)
+       }
+ }
+-/*
+- * vmbus_process_offer - Process the offer by creating a channel/device
+- * associated with this offer
+- */
+-static void vmbus_process_offer(struct vmbus_channel *newchannel)
++/* Note: the function can run concurrently for primary/sub channels. */
++static void vmbus_add_channel_work(struct work_struct *work)
+ {
+-      struct vmbus_channel *channel;
+-      bool fnew = true;
++      struct vmbus_channel *newchannel =
++              container_of(work, struct vmbus_channel, add_channel_work);
++      struct vmbus_channel *primary_channel = newchannel->primary_channel;
+       unsigned long flags;
+       u16 dev_type;
+       int ret;
+-      /* Make sure this is a new offer */
+-      mutex_lock(&vmbus_connection.channel_mutex);
+-
+-      /*
+-       * Now that we have acquired the channel_mutex,
+-       * we can release the potentially racing rescind thread.
+-       */
+-      atomic_dec(&vmbus_connection.offer_in_progress);
+-
+-      list_for_each_entry(channel, &vmbus_connection.chn_list, listentry) {
+-              if (!uuid_le_cmp(channel->offermsg.offer.if_type,
+-                      newchannel->offermsg.offer.if_type) &&
+-                      !uuid_le_cmp(channel->offermsg.offer.if_instance,
+-                              newchannel->offermsg.offer.if_instance)) {
+-                      fnew = false;
+-                      break;
+-              }
+-      }
+-
+-      if (fnew)
+-              list_add_tail(&newchannel->listentry,
+-                            &vmbus_connection.chn_list);
+-
+-      mutex_unlock(&vmbus_connection.channel_mutex);
+-
+-      if (!fnew) {
+-              /*
+-               * Check to see if this is a sub-channel.
+-               */
+-              if (newchannel->offermsg.offer.sub_channel_index != 0) {
+-                      /*
+-                       * Process the sub-channel.
+-                       */
+-                      newchannel->primary_channel = channel;
+-                      spin_lock_irqsave(&channel->lock, flags);
+-                      list_add_tail(&newchannel->sc_list, &channel->sc_list);
+-                      channel->num_sc++;
+-                      spin_unlock_irqrestore(&channel->lock, flags);
+-              } else {
+-                      goto err_free_chan;
+-              }
+-      }
+-
+       dev_type = hv_get_dev_type(newchannel);
+       init_vp_index(newchannel, dev_type);
+@@ -519,27 +474,26 @@ static void vmbus_process_offer(struct v
+       /*
+        * This state is used to indicate a successful open
+        * so that when we do close the channel normally, we
+-       * can cleanup properly
++       * can cleanup properly.
+        */
+       newchannel->state = CHANNEL_OPEN_STATE;
+-      if (!fnew) {
+-              struct hv_device *dev
+-                      = newchannel->primary_channel->device_obj;
++      if (primary_channel != NULL) {
++              /* newchannel is a sub-channel. */
++              struct hv_device *dev = primary_channel->device_obj;
+               if (vmbus_add_channel_kobj(dev, newchannel))
+-                      goto err_free_chan;
++                      goto err_deq_chan;
++
++              if (primary_channel->sc_creation_callback != NULL)
++                      primary_channel->sc_creation_callback(newchannel);
+-              if (channel->sc_creation_callback != NULL)
+-                      channel->sc_creation_callback(newchannel);
+               newchannel->probe_done = true;
+               return;
+       }
+       /*
+-       * Start the process of binding this offer to the driver
+-       * We need to set the DeviceObject field before calling
+-       * vmbus_child_dev_add()
++       * Start the process of binding the primary channel to the driver
+        */
+       newchannel->device_obj = vmbus_device_create(
+               &newchannel->offermsg.offer.if_type,
+@@ -568,13 +522,28 @@ static void vmbus_process_offer(struct v
+ err_deq_chan:
+       mutex_lock(&vmbus_connection.channel_mutex);
+-      list_del(&newchannel->listentry);
++
++      /*
++       * We need to set the flag, otherwise
++       * vmbus_onoffer_rescind() can be blocked.
++       */
++      newchannel->probe_done = true;
++
++      if (primary_channel == NULL) {
++              list_del(&newchannel->listentry);
++      } else {
++              spin_lock_irqsave(&primary_channel->lock, flags);
++              list_del(&newchannel->sc_list);
++              spin_unlock_irqrestore(&primary_channel->lock, flags);
++      }
++
+       mutex_unlock(&vmbus_connection.channel_mutex);
+       if (newchannel->target_cpu != get_cpu()) {
+               put_cpu();
+               smp_call_function_single(newchannel->target_cpu,
+-                                       percpu_channel_deq, newchannel, true);
++                                       percpu_channel_deq,
++                                       newchannel, true);
+       } else {
+               percpu_channel_deq(newchannel);
+               put_cpu();
+@@ -582,14 +551,104 @@ err_deq_chan:
+       vmbus_release_relid(newchannel->offermsg.child_relid);
+-err_free_chan:
+       free_channel(newchannel);
+ }
+ /*
++ * vmbus_process_offer - Process the offer by creating a channel/device
++ * associated with this offer
++ */
++static void vmbus_process_offer(struct vmbus_channel *newchannel)
++{
++      struct vmbus_channel *channel;
++      struct workqueue_struct *wq;
++      unsigned long flags;
++      bool fnew = true;
++
++      mutex_lock(&vmbus_connection.channel_mutex);
++
++      /*
++       * Now that we have acquired the channel_mutex,
++       * we can release the potentially racing rescind thread.
++       */
++      atomic_dec(&vmbus_connection.offer_in_progress);
++
++      list_for_each_entry(channel, &vmbus_connection.chn_list, listentry) {
++              if (!uuid_le_cmp(channel->offermsg.offer.if_type,
++                               newchannel->offermsg.offer.if_type) &&
++                  !uuid_le_cmp(channel->offermsg.offer.if_instance,
++                               newchannel->offermsg.offer.if_instance)) {
++                      fnew = false;
++                      break;
++              }
++      }
++
++      if (fnew)
++              list_add_tail(&newchannel->listentry,
++                            &vmbus_connection.chn_list);
++      else {
++              /*
++               * Check to see if this is a valid sub-channel.
++               */
++              if (newchannel->offermsg.offer.sub_channel_index == 0) {
++                      mutex_unlock(&vmbus_connection.channel_mutex);
++                      /*
++                       * Don't call free_channel(), because newchannel->kobj
++                       * is not initialized yet.
++                       */
++                      kfree(newchannel);
++                      WARN_ON_ONCE(1);
++                      return;
++              }
++              /*
++               * Process the sub-channel.
++               */
++              newchannel->primary_channel = channel;
++              spin_lock_irqsave(&channel->lock, flags);
++              list_add_tail(&newchannel->sc_list, &channel->sc_list);
++              spin_unlock_irqrestore(&channel->lock, flags);
++      }
++
++      mutex_unlock(&vmbus_connection.channel_mutex);
++
++      /*
++       * vmbus_process_offer() mustn't call channel->sc_creation_callback()
++       * directly for sub-channels, because sc_creation_callback() ->
++       * vmbus_open() may never get the host's response to the
++       * OPEN_CHANNEL message (the host may rescind a channel at any time,
++       * e.g. in the case of hot removing a NIC), and vmbus_onoffer_rescind()
++       * may not wake up the vmbus_open() as it's blocked due to a non-zero
++       * vmbus_connection.offer_in_progress, and finally we have a deadlock.
++       *
++       * The above is also true for primary channels, if the related device
++       * drivers use sync probing mode by default.
++       *
++       * And, usually the handling of primary channels and sub-channels can
++       * depend on each other, so we should offload them to different
++       * workqueues to avoid possible deadlock, e.g. in sync-probing mode,
++       * NIC1's netvsc_subchan_work() can race with NIC2's netvsc_probe() ->
++       * rtnl_lock(), and causes deadlock: the former gets the rtnl_lock
++       * and waits for all the sub-channels to appear, but the latter
++       * can't get the rtnl_lock and this blocks the handling of
++       * sub-channels.
++       */
++      INIT_WORK(&newchannel->add_channel_work, vmbus_add_channel_work);
++      wq = fnew ? vmbus_connection.handle_primary_chan_wq :
++                  vmbus_connection.handle_sub_chan_wq;
++      queue_work(wq, &newchannel->add_channel_work);
++}
++
++/*
+  * We use this state to statically distribute the channel interrupt load.
+  */
+ static int next_numa_node_id;
++/*
++ * init_vp_index() accesses global variables like next_numa_node_id, and
++ * it can run concurrently for primary channels and sub-channels: see
++ * vmbus_process_offer(), so we need the lock to protect the global
++ * variables.
++ */
++static DEFINE_SPINLOCK(bind_channel_to_cpu_lock);
+ /*
+  * Starting with Win8, we can statically distribute the incoming
+@@ -625,6 +684,8 @@ static void init_vp_index(struct vmbus_c
+               return;
+       }
++      spin_lock(&bind_channel_to_cpu_lock);
++
+       /*
+        * Based on the channel affinity policy, we will assign the NUMA
+        * nodes.
+@@ -707,6 +768,8 @@ static void init_vp_index(struct vmbus_c
+       channel->target_cpu = cur_cpu;
+       channel->target_vp = hv_cpu_number_to_vp_number(cur_cpu);
++      spin_unlock(&bind_channel_to_cpu_lock);
++
+       free_cpumask_var(available_mask);
+ }
+--- a/drivers/hv/connection.c
++++ b/drivers/hv/connection.c
+@@ -190,6 +190,20 @@ int vmbus_connect(void)
+               goto cleanup;
+       }
++      vmbus_connection.handle_primary_chan_wq =
++              create_workqueue("hv_pri_chan");
++      if (!vmbus_connection.handle_primary_chan_wq) {
++              ret = -ENOMEM;
++              goto cleanup;
++      }
++
++      vmbus_connection.handle_sub_chan_wq =
++              create_workqueue("hv_sub_chan");
++      if (!vmbus_connection.handle_sub_chan_wq) {
++              ret = -ENOMEM;
++              goto cleanup;
++      }
++
+       INIT_LIST_HEAD(&vmbus_connection.chn_msg_list);
+       spin_lock_init(&vmbus_connection.channelmsg_lock);
+@@ -280,10 +294,14 @@ void vmbus_disconnect(void)
+        */
+       vmbus_initiate_unload(false);
+-      if (vmbus_connection.work_queue) {
+-              drain_workqueue(vmbus_connection.work_queue);
++      if (vmbus_connection.handle_sub_chan_wq)
++              destroy_workqueue(vmbus_connection.handle_sub_chan_wq);
++
++      if (vmbus_connection.handle_primary_chan_wq)
++              destroy_workqueue(vmbus_connection.handle_primary_chan_wq);
++
++      if (vmbus_connection.work_queue)
+               destroy_workqueue(vmbus_connection.work_queue);
+-      }
+       if (vmbus_connection.int_page) {
+               free_pages((unsigned long)vmbus_connection.int_page, 0);
+--- a/drivers/hv/hyperv_vmbus.h
++++ b/drivers/hv/hyperv_vmbus.h
+@@ -335,7 +335,14 @@ struct vmbus_connection {
+       struct list_head chn_list;
+       struct mutex channel_mutex;
++      /*
++       * An offer message is handled first on the work_queue, and then
++       * is further handled on handle_primary_chan_wq or
++       * handle_sub_chan_wq.
++       */
+       struct workqueue_struct *work_queue;
++      struct workqueue_struct *handle_primary_chan_wq;
++      struct workqueue_struct *handle_sub_chan_wq;
+ };
+--- a/include/linux/hyperv.h
++++ b/include/linux/hyperv.h
+@@ -904,6 +904,13 @@ struct vmbus_channel {
+       bool probe_done;
++      /*
++       * We must offload the handling of the primary/sub channels
++       * from the single-threaded vmbus_connection.work_queue to
++       * two different workqueue, otherwise we can block
++       * vmbus_connection.work_queue and hang: see vmbus_process_offer().
++       */
++      struct work_struct add_channel_work;
+ };
+ static inline bool is_hvsock_channel(const struct vmbus_channel *c)
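Review bot: vmbus_disconnect() destroys handle_sub_chan_wq and handle_primary_chan_wq before work_queue, yet the new comment in struct vmbus_connection says offers are handled on work_queue first and then queued onto those two. Nothing visible in the hunk shows why vmbus_process_offer() cannot still run from work_queue and call `queue_work()` on a workqueue that has already been destroyed. If vmbus_initiate_unload() guarantees work_queue is idle by then, a comment above the three destroy calls should say so; otherwise work_queue should be destroyed first. Separately, the rewritten vmbus_process_offer() no longer does `channel->num_sc++` when linking a sub-channel and the commit message does not mention it, so any remaining reader of num_sc (none is visible here) would see a stale count.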
diff --git a/queue-4.19/drm-amdgpu-gmc8-always-load-mc-firmware-in-the-driver.patch b/queue-4.19/drm-amdgpu-gmc8-always-load-mc-firmware-in-the-driver.patch
new file mode 100644 (file)
index 0000000..78617d2
--- /dev/null
@@ -0,0 +1,51 @@
+From b52b6738cc2d50d2a8f4d0095bcb5a86716008a5 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 28 Nov 2018 23:28:17 -0500
+Subject: drm/amdgpu/gmc8: always load MC firmware in the driver
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit b52b6738cc2d50d2a8f4d0095bcb5a86716008a5 upstream.
+
+Some power features rely on the driver loaded version so always
+load the MC firmware from the driver even if the vbios loaded
+a version already.
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Junwei Zhang <Jerry.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c |    9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
+@@ -365,7 +365,7 @@ static int gmc_v8_0_polaris_mc_load_micr
+       const struct mc_firmware_header_v1_0 *hdr;
+       const __le32 *fw_data = NULL;
+       const __le32 *io_mc_regs = NULL;
+-      u32 data, vbios_version;
++      u32 data;
+       int i, ucode_size, regs_size;
+       /* Skip MC ucode loading on SR-IOV capable boards.
+@@ -376,13 +376,6 @@ static int gmc_v8_0_polaris_mc_load_micr
+       if (amdgpu_sriov_bios(adev))
+               return 0;
+-      WREG32(mmMC_SEQ_IO_DEBUG_INDEX, 0x9F);
+-      data = RREG32(mmMC_SEQ_IO_DEBUG_DATA);
+-      vbios_version = data & 0xf;
+-
+-      if (vbios_version == 0)
+-              return 0;
+-
+       if (!adev->gmc.fw)
+               return -EINVAL;
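Review bot: With the vbios_version early return removed, `if (!adev->gmc.fw) return -EINVAL;` is now reached on boards that previously returned 0 before it. On those boards a missing MC image changes from a silent skip into a load failure. Whether gmc_v8_0_init_microcode() guarantees gmc.fw for every Polaris board is not visible in this hunk. I would add a comment above the check, for example `/* MC firmware is mandatory from here on, even when the vbios already loaded one */`, so the stricter behaviour reads as intentional. The rest of gmc_v8_0_polaris_mc_load_microcode(), including any remaining use of `data`, is outside the hunk.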
diff --git a/queue-4.19/drm-amdgpu-gmc8-update-mc-firmware-for-polaris.patch b/queue-4.19/drm-amdgpu-gmc8-update-mc-firmware-for-polaris.patch
new file mode 100644 (file)
index 0000000..9a3b2ea
--- /dev/null
@@ -0,0 +1,80 @@
+From a81a7c9c9ea3042ab02d66ac35def74abf091c15 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 28 Nov 2018 23:25:41 -0500
+Subject: drm/amdgpu/gmc8: update MC firmware for polaris
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit a81a7c9c9ea3042ab02d66ac35def74abf091c15 upstream.
+
+Some variants require different MC firmware images.
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Junwei Zhang <Jerry.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c |   29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
+@@ -55,6 +55,8 @@ MODULE_FIRMWARE("amdgpu/tonga_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris11_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris10_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris12_mc.bin");
++MODULE_FIRMWARE("amdgpu/polaris11_k_mc.bin");
++MODULE_FIRMWARE("amdgpu/polaris10_k_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris12_k_mc.bin");
+ static const u32 golden_settings_tonga_a11[] =
+@@ -224,22 +226,39 @@ static int gmc_v8_0_init_microcode(struc
+               chip_name = "tonga";
+               break;
+       case CHIP_POLARIS11:
+-              chip_name = "polaris11";
++              if (((adev->pdev->device == 0x67ef) &&
++                   ((adev->pdev->revision == 0xe0) ||
++                    (adev->pdev->revision == 0xe5))) ||
++                  ((adev->pdev->device == 0x67ff) &&
++                   ((adev->pdev->revision == 0xcf) ||
++                    (adev->pdev->revision == 0xef) ||
++                    (adev->pdev->revision == 0xff))))
++                      chip_name = "polaris11_k";
++              else if ((adev->pdev->device == 0x67ef) &&
++                       (adev->pdev->revision == 0xe2))
++                      chip_name = "polaris11_k";
++              else
++                      chip_name = "polaris11";
+               break;
+       case CHIP_POLARIS10:
+-              chip_name = "polaris10";
++              if ((adev->pdev->device == 0x67df) &&
++                  ((adev->pdev->revision == 0xe1) ||
++                   (adev->pdev->revision == 0xf7)))
++                      chip_name = "polaris10_k";
++              else
++                      chip_name = "polaris10";
+               break;
+       case CHIP_POLARIS12:
+-              chip_name = "polaris12";
+               if (((adev->pdev->device == 0x6987) &&
+                    ((adev->pdev->revision == 0xc0) ||
+                     (adev->pdev->revision == 0xc3))) ||
+                   ((adev->pdev->device == 0x6981) &&
+                    ((adev->pdev->revision == 0x00) ||
+                     (adev->pdev->revision == 0x01) ||
+-                    (adev->pdev->revision == 0x10)))) {
++                    (adev->pdev->revision == 0x10))))
+                       chip_name = "polaris12_k";
+-              }
++              else
++                      chip_name = "polaris12";
+               break;
+       case CHIP_FIJI:
+       case CHIP_CARRIZO:
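Review bot: In the CHIP_POLARIS11 case the `else if` branch for device 0x67ef revision 0xe2 assigns the same `"polaris11_k"` as the branch above it, so the second test is redundant as written. Folding it into the first condition by adding `(adev->pdev->revision == 0xe2) ||` to the 0x67ef revision list gives one branch per firmware name, matching the POLARIS10 and POLARIS12 cases. If the separate branch was meant to select a different image, that name is missing. The device and revision literals also carry no comment naming the variants they identify, which makes this selection hard to audit against the firmware files listed in MODULE_FIRMWARE.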
diff --git a/queue-4.19/drm-amdgpu-update-mc-firmware-image-for-polaris12-variants.patch b/queue-4.19/drm-amdgpu-update-mc-firmware-image-for-polaris12-variants.patch
new file mode 100644 (file)
index 0000000..9a48ef9
--- /dev/null
@@ -0,0 +1,47 @@
+From d7fd67653f847327e545bdb198b901ee124afd7c Mon Sep 17 00:00:00 2001
+From: Junwei Zhang <Jerry.Zhang@amd.com>
+Date: Thu, 22 Nov 2018 17:53:00 +0800
+Subject: drm/amdgpu: update mc firmware image for polaris12 variants
+
+From: Junwei Zhang <Jerry.Zhang@amd.com>
+
+commit d7fd67653f847327e545bdb198b901ee124afd7c upstream.
+
+Some new variants require updated firmware.
+
+Signed-off-by: Junwei Zhang <Jerry.Zhang@amd.com>
+Reviewed-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
+@@ -55,6 +55,7 @@ MODULE_FIRMWARE("amdgpu/tonga_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris11_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris10_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris12_mc.bin");
++MODULE_FIRMWARE("amdgpu/polaris12_k_mc.bin");
+ static const u32 golden_settings_tonga_a11[] =
+ {
+@@ -230,6 +231,15 @@ static int gmc_v8_0_init_microcode(struc
+               break;
+       case CHIP_POLARIS12:
+               chip_name = "polaris12";
++              if (((adev->pdev->device == 0x6987) &&
++                   ((adev->pdev->revision == 0xc0) ||
++                    (adev->pdev->revision == 0xc3))) ||
++                  ((adev->pdev->device == 0x6981) &&
++                   ((adev->pdev->revision == 0x00) ||
++                    (adev->pdev->revision == 0x01) ||
++                    (adev->pdev->revision == 0x10)))) {
++                      chip_name = "polaris12_k";
++              }
+               break;
+       case CHIP_FIJI:
+       case CHIP_CARRIZO:
diff --git a/queue-4.19/drm-i915-downgrade-gen9-plane-wm-latency-error.patch b/queue-4.19/drm-i915-downgrade-gen9-plane-wm-latency-error.patch
new file mode 100644 (file)
index 0000000..c40f12e
--- /dev/null
@@ -0,0 +1,37 @@
+From 86c1c87d0e6241cbe35bd52badfc84b154e1b959 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Thu, 26 Jul 2018 17:15:27 +0100
+Subject: drm/i915: Downgrade Gen9 Plane WM latency error
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 86c1c87d0e6241cbe35bd52badfc84b154e1b959 upstream.
+
+According to intel_read_wm_latency() it is perfectly legal for one WM
+and all subsequent levels to be 0 (and the deeper powersaving states
+disabled), so don't shout *ERROR*, over and over again.
+
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Ville Syrjala <ville.syrjala@linux.intel.com>
+Acked-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180726161527.10516-1-chris@chris-wilson.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_pm.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_pm.c
++++ b/drivers/gpu/drm/i915/intel_pm.c
+@@ -2951,8 +2951,8 @@ static void intel_print_wm_latency(struc
+               unsigned int latency = wm[level];
+               if (latency == 0) {
+-                      DRM_ERROR("%s WM%d latency not provided\n",
+-                                name, level);
++                      DRM_DEBUG_KMS("%s WM%d latency not provided\n",
++                                    name, level);
+                       continue;
+               }
diff --git a/queue-4.19/drm-lease-send-a-distinct-uevent.patch b/queue-4.19/drm-lease-send-a-distinct-uevent.patch
new file mode 100644 (file)
index 0000000..3800153
--- /dev/null
@@ -0,0 +1,83 @@
+From ce85882860f0e756f7066cbda1c43e8b50b73ab6 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Thu, 29 Nov 2018 10:42:26 +0100
+Subject: drm/lease: Send a distinct uevent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit ce85882860f0e756f7066cbda1c43e8b50b73ab6 upstream.
+
+Sending the exact same hotplug event is not great uapi. Luckily the
+only already merged implementation of leases (in the -modesetting
+driver) doesn't care about what kind of uevent it gets, and
+unconditionally processes both hotplug and lease changes. So we can
+still adjust the uapi here.
+
+But e.g. weston tries to filter stuff, and I guess others might want
+to do that too. Try to make that possible. Cc: stable since it's uapi
+adjustement that we want to roll out everywhere.
+
+Michel Dänzer mentioned on irc that -amdgpu also has lease support. It
+has the same code flow as -modesetting though, so we can still go
+ahead.
+
+v2: Mention -amdgpu (Michel)
+
+Cc: Keith Packard <keithp@keithp.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181129094226.30591-1-daniel.vetter@ffwll.ch
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_internal.h |    2 ++
+ drivers/gpu/drm/drm_lease.c    |    2 +-
+ drivers/gpu/drm/drm_sysfs.c    |   10 ++++++++++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_internal.h
++++ b/drivers/gpu/drm/drm_internal.h
+@@ -99,6 +99,8 @@ struct device *drm_sysfs_minor_alloc(str
+ int drm_sysfs_connector_add(struct drm_connector *connector);
+ void drm_sysfs_connector_remove(struct drm_connector *connector);
++void drm_sysfs_lease_event(struct drm_device *dev);
++
+ /* drm_gem.c */
+ int drm_gem_init(struct drm_device *dev);
+ void drm_gem_destroy(struct drm_device *dev);
+--- a/drivers/gpu/drm/drm_lease.c
++++ b/drivers/gpu/drm/drm_lease.c
+@@ -296,7 +296,7 @@ void drm_lease_destroy(struct drm_master
+       if (master->lessor) {
+               /* Tell the master to check the lessee list */
+-              drm_sysfs_hotplug_event(dev);
++              drm_sysfs_lease_event(dev);
+               drm_master_put(&master->lessor);
+       }
+--- a/drivers/gpu/drm/drm_sysfs.c
++++ b/drivers/gpu/drm/drm_sysfs.c
+@@ -301,6 +301,16 @@ void drm_sysfs_connector_remove(struct d
+       connector->kdev = NULL;
+ }
++void drm_sysfs_lease_event(struct drm_device *dev)
++{
++      char *event_string = "LEASE=1";
++      char *envp[] = { event_string, NULL };
++
++      DRM_DEBUG("generating lease event\n");
++
++      kobject_uevent_env(&dev->primary->kdev->kobj, KOBJ_CHANGE, envp);
++}
++
+ /**
+  * drm_sysfs_hotplug_event - generate a DRM uevent
+  * @dev: DRM device
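Review bot: `drm_sysfs_lease_event()` in drm_sysfs.c is added without a kernel-doc block, although the `drm_sysfs_hotplug_event()` that follows it has one, and the `LEASE=1` string it emits is new userspace ABI that listeners will filter on. A short header such as `/* drm_sysfs_lease_event - send a KOBJ_CHANGE uevent carrying LEASE=1 when a lease changes */` would record that contract next to the code. The return value of `kobject_uevent_env()` is also discarded, so a failed notification is silent; that may be deliberate best-effort, but a `DRM_DEBUG` on failure would make a missed lease event diagnosable. The kernel-doc for `drm_sysfs_hotplug_event()` continues outside the hunk.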
diff --git a/queue-4.19/drm-msm-move-fence-put-to-where-failure-occurs.patch b/queue-4.19/drm-msm-move-fence-put-to-where-failure-occurs.patch
new file mode 100644 (file)
index 0000000..1cc1ffe
--- /dev/null
@@ -0,0 +1,71 @@
+From 2189463dba3eac10d7264a40ede12fc1a3c06fb1 Mon Sep 17 00:00:00 2001
+From: Robert Foss <robert.foss@collabora.com>
+Date: Mon, 5 Nov 2018 11:13:12 +0100
+Subject: drm/msm: Move fence put to where failure occurs
+
+From: Robert Foss <robert.foss@collabora.com>
+
+commit 2189463dba3eac10d7264a40ede12fc1a3c06fb1 upstream.
+
+If dma_fence_wait fails to wait for a supplied in-fence in
+msm_ioctl_gem_submit, make sure we release that in-fence.
+
+Also remove this dma_fence_put() from the 'out' label.
+
+Signed-off-by: Robert Foss <robert.foss@collabora.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: stable@vger.kernel.org
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c |   15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -410,7 +410,6 @@ int msm_ioctl_gem_submit(struct drm_devi
+       struct msm_file_private *ctx = file->driver_priv;
+       struct msm_gem_submit *submit;
+       struct msm_gpu *gpu = priv->gpu;
+-      struct dma_fence *in_fence = NULL;
+       struct sync_file *sync_file = NULL;
+       struct msm_gpu_submitqueue *queue;
+       struct msm_ringbuffer *ring;
+@@ -443,6 +442,8 @@ int msm_ioctl_gem_submit(struct drm_devi
+       ring = gpu->rb[queue->prio];
+       if (args->flags & MSM_SUBMIT_FENCE_FD_IN) {
++              struct dma_fence *in_fence;
++
+               in_fence = sync_file_get_fence(args->fence_fd);
+               if (!in_fence)
+@@ -452,11 +453,13 @@ int msm_ioctl_gem_submit(struct drm_devi
+                * Wait if the fence is from a foreign context, or if the fence
+                * array contains any fence from a foreign context.
+                */
+-              if (!dma_fence_match_context(in_fence, ring->fctx->context)) {
++              ret = 0;
++              if (!dma_fence_match_context(in_fence, ring->fctx->context))
+                       ret = dma_fence_wait(in_fence, true);
+-                      if (ret)
+-                              return ret;
+-              }
++
++              dma_fence_put(in_fence);
++              if (ret)
++                      return ret;
+       }
+       ret = mutex_lock_interruptible(&dev->struct_mutex);
+@@ -582,8 +585,6 @@ int msm_ioctl_gem_submit(struct drm_devi
+       }
+ out:
+-      if (in_fence)
+-              dma_fence_put(in_fence);
+       submit_cleanup(submit);
+       if (ret)
+               msm_gem_submit_free(submit);
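Review bot: In the `MSM_SUBMIT_FENCE_FD_IN` block of `msm_ioctl_gem_submit()`, `dma_fence_put(in_fence)` now runs on every path, including the one where `dma_fence_match_context()` succeeds and no wait happens, and nothing in the code says why the reference can be dropped that early. A comment such as `/* in_fence is only needed for the wait above; drop the reference on every path */` would keep a later change from using `in_fence` after this point or from reintroducing the put at `out:`. The bare `ret = 0;` before the match test exists only so the shared `if (ret)` works on the no-wait path. Whether `ret` is already zero there cannot be seen, since the function starts and ends outside the hunks.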
diff --git a/queue-4.19/gnss-sirf-fix-activation-retry-handling.patch b/queue-4.19/gnss-sirf-fix-activation-retry-handling.patch
new file mode 100644 (file)
index 0000000..652ac8e
--- /dev/null
@@ -0,0 +1,47 @@
+From 06fd9ab12b804451b14d538adbf98a57c2d6846b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 5 Dec 2018 11:21:49 +0100
+Subject: gnss: sirf: fix activation retry handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 06fd9ab12b804451b14d538adbf98a57c2d6846b upstream.
+
+Fix activation helper which would return -ETIMEDOUT even if the last
+retry attempt was successful.
+
+Also change the semantics of the retries variable so that it actually
+holds the number of retries (rather than tries).
+
+Fixes: d2efbbd18b1e ("gnss: add driver for sirfstar-based receivers")
+Cc: stable <stable@vger.kernel.org>    # 4.19
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gnss/sirf.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gnss/sirf.c
++++ b/drivers/gnss/sirf.c
+@@ -168,7 +168,7 @@ static int sirf_set_active(struct sirf_d
+       else
+               timeout = SIRF_HIBERNATE_TIMEOUT;
+-      while (retries-- > 0) {
++      do {
+               sirf_pulse_on_off(data);
+               ret = sirf_wait_for_power_state(data, active, timeout);
+               if (ret < 0) {
+@@ -179,9 +179,9 @@ static int sirf_set_active(struct sirf_d
+               }
+               break;
+-      }
++      } while (retries--);
+-      if (retries == 0)
++      if (retries < 0)
+               return -ETIMEDOUT;
+       return 0;
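Review bot: The new exit test `if (retries < 0)` in `sirf_set_active()` only works if `retries` is a signed type, because it relies on the final `retries--` in the `while` condition taking the counter from 0 to -1; the declaration is outside the hunk, so this should be confirmed. The coupling between the post-decrement and the check after the loop is easy to break, and a comment like `/* retries is -1 here only if every attempt timed out */` above the check would make it explicit. The body of the `if (ret < 0)` branch is not shown either, so the assumption that a timeout reaches the loop condition rather than returning is inferred.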
diff --git a/queue-4.19/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch b/queue-4.19/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch
new file mode 100644 (file)
index 0000000..6f0aaf1
--- /dev/null
@@ -0,0 +1,82 @@
+From dada6a43b0402eba438a17ac86fdc64ac56a4607 Mon Sep 17 00:00:00 2001
+From: Macpaul Lin <macpaul@gmail.com>
+Date: Wed, 17 Oct 2018 23:08:38 +0800
+Subject: kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
+
+From: Macpaul Lin <macpaul@gmail.com>
+
+commit dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream.
+
+This patch is trying to fix KE issue due to
+"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
+reported by Syzkaller scan."
+
+[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
+[26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
+[26364:syz-executor0]Call trace:
+[26364:syz-executor0][<ffffff9008095cf8>] dump_bacIctrace+Ox0/0x470
+[26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30
+[26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+Oxd8/0x128
+[26364:syz-executor0][<ffffff90084edb38>] print_address_description +0x80/0x4a8
+[26364:syz-executor0][<ffffff90084ee270>] kasan_report+Ox178/0x390
+[26364:syz-executor0][<ffffff90084ee4a0>] _asan_report_loadi_noabort+Ox18/0x20
+[26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+Ox194/0x198
+[26364:syz-executor0][<ffffff900813af64>] param_attr_store+Ox14c/0x270
+[26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90
+[26364:syz-executor0][<ffffff90086690c0>] sysfs_kl_write+Ox100/0x158
+[26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
+[26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
+[26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
+[26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/Oxb8
+[26364:syz-executor0][<ffffff900850ba64>] SyS_writev+Oxcc/0x208
+[26364:syz-executor0][<ffffff90080883f0>] elO_svc_naked +0x24/0x28
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:report&]The buggy address belongs to the variable:
+[26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:report&]Memory state around the buggy address:
+[26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
+[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
+[26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
+[26364:syz-executor0][name:report&]                                       ^
+[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
+[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint
+[26364:syz-executor0]------------[cut here]------------
+
+After checking the source code, we've found there might be an out-of-bounds
+access to "config[len - 1]" array when the variable "len" is zero.
+
+Signed-off-by: Macpaul Lin <macpaul@gmail.com>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/kgdboc.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/kgdboc.c
++++ b/drivers/tty/serial/kgdboc.c
+@@ -230,7 +230,7 @@ static void kgdboc_put_char(u8 chr)
+ static int param_set_kgdboc_var(const char *kmessage,
+                               const struct kernel_param *kp)
+ {
+-      int len = strlen(kmessage);
++      size_t len = strlen(kmessage);
+       if (len >= MAX_CONFIG_LEN) {
+               printk(KERN_ERR "kgdboc: config string too long\n");
+@@ -252,7 +252,7 @@ static int param_set_kgdboc_var(const ch
+       strcpy(config, kmessage);
+       /* Chop out \n char as a result of echo */
+-      if (config[len - 1] == '\n')
++      if (len && config[len - 1] == '\n')
+               config[len - 1] = '\0';
+       if (configured == 1)
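Review bot: With `len` now a `size_t`, the `len &&` test in `param_set_kgdboc_var()` is the only thing keeping `len - 1` from wrapping to `SIZE_MAX` as an index into `config` on an empty write, and the existing comment does not mention that case. Extending it to `/* Chop out \n char as a result of echo; len is 0 for an empty write */` would keep the guard from being dropped as redundant later. An empty string still proceeds past this point, so it is worth checking that the code after the hunk treats an empty `config` as intended; the function continues outside the hunk.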
diff --git a/queue-4.19/kprobes-x86-fix-instruction-patching-corruption-when-copying-more-than-one-rip-relative-instruction.patch b/queue-4.19/kprobes-x86-fix-instruction-patching-corruption-when-copying-more-than-one-rip-relative-instruction.patch
new file mode 100644 (file)
index 0000000..bcab942
--- /dev/null
@@ -0,0 +1,92 @@
+From 43a1b0cb4cd6dbfd3cd9c10da663368394d299d8 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Fri, 24 Aug 2018 02:16:12 +0900
+Subject: kprobes/x86: Fix instruction patching corruption when copying more than one RIP-relative instruction
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 43a1b0cb4cd6dbfd3cd9c10da663368394d299d8 upstream.
+
+After copy_optimized_instructions() copies several instructions
+to the working buffer it tries to fix up the real RIP address, but it
+adjusts the RIP-relative instruction with an incorrect RIP address
+for the 2nd and subsequent instructions due to a bug in the logic.
+
+This will break the kernel pretty badly (with likely outcomes such as
+a kernel freeze, a crash, or worse) because probed instructions can refer
+to the wrong data.
+
+For example putting kprobes on cpumask_next() typically hits this bug.
+
+cpumask_next() is normally like below if CONFIG_CPUMASK_OFFSTACK=y
+(in this case nr_cpumask_bits is an alias of nr_cpu_ids):
+
+ <cpumask_next>:
+       48 89 f0                mov    %rsi,%rax
+       8b 35 7b fb e2 00       mov    0xe2fb7b(%rip),%esi # ffffffff82db9e64 <nr_cpu_ids>
+       55                      push   %rbp
+...
+
+If we put a kprobe on it and it gets jump-optimized, it gets
+patched by the kprobes code like this:
+
+ <cpumask_next>:
+       e9 95 7d 07 1e          jmpq   0xffffffffa000207a
+       7b fb                   jnp    0xffffffff81f8a2e2 <cpumask_next+2>
+       e2 00                   loop   0xffffffff81f8a2e9 <cpumask_next+9>
+       55                      push   %rbp
+
+This shows that the first two MOV instructions were copied to a
+trampoline buffer at 0xffffffffa000207a.
+
+Here is the disassembled result of the trampoline, skipping
+the optprobe template instructions:
+
+       # Dump of assembly code from 0xffffffffa000207a to 0xffffffffa00020ea:
+
+       54                      push   %rsp
+       ...
+       48 83 c4 08             add    $0x8,%rsp
+       9d                      popfq
+       48 89 f0                mov    %rsi,%rax
+       8b 35 82 7d db e2       mov    -0x1d24827e(%rip),%esi # 0xffffffff82db9e67 <nr_cpu_ids+3>
+
+This dump shows that the second MOV accesses *(nr_cpu_ids+3) instead of
+the original *nr_cpu_ids. This leads to a kernel freeze because
+cpumask_next() always returns 0 and for_each_cpu() never ends.
+
+Fix this by adding 'len' correctly to the real RIP address while
+copying.
+
+[ mingo: Improved the changelog. ]
+
+Reported-by: Michael Rodin <michael@rodin.online>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org # v4.15+
+Fixes: 63fef14fc98a ("kprobes/x86: Make insn buffer always ROX and use text_poke()")
+Link: http://lkml.kernel.org/r/153504457253.22602.1314289671019919596.stgit@devbox
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/kprobes/opt.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/kprobes/opt.c
++++ b/arch/x86/kernel/kprobes/opt.c
+@@ -189,7 +189,7 @@ static int copy_optimized_instructions(u
+       int len = 0, ret;
+       while (len < RELATIVEJUMP_SIZE) {
+-              ret = __copy_instruction(dest + len, src + len, real, &insn);
++              ret = __copy_instruction(dest + len, src + len, real + len, &insn);
+               if (!ret || !can_boost(&insn, src + len))
+                       return -EINVAL;
+               len += ret;
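Review bot: The loop in `copy_optimized_instructions()` advances `dest`, `src` and `real` by the same `len`, but nothing in the code documents that `real` is a base address that must be offset per instruction, which is the misunderstanding this one-line fix corrects. A comment above the call, for example `/* dest, src and real all advance by len: each insn is fixed up against its own final address */`, would guard against the same slip when the call is next touched. The function starts and ends outside the hunk.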
diff --git a/queue-4.19/libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch b/queue-4.19/libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch
new file mode 100644 (file)
index 0000000..6d7548f
--- /dev/null
@@ -0,0 +1,194 @@
+From ae86cbfef3818300f1972e52f67a93211acb0e24 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Sat, 24 Nov 2018 10:47:04 -0800
+Subject: libnvdimm, pfn: Pad pfn namespaces relative to other regions
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit ae86cbfef3818300f1972e52f67a93211acb0e24 upstream.
+
+Commit cfe30b872058 "libnvdimm, pmem: adjust for section collisions with
+'System RAM'" enabled Linux to workaround occasions where platform
+firmware arranges for "System RAM" and "Persistent Memory" to collide
+within a single section boundary. Unfortunately, as reported in this
+issue [1], platform firmware can inflict the same collision between
+persistent memory regions.
+
+The approach of interrogating iomem_resource does not work in this
+case because platform firmware may merge multiple regions into a single
+iomem_resource range. Instead provide a method to interrogate regions
+that share the same parent bus.
+
+This is a stop-gap until the core-MM can grow support for hotplug on
+sub-section boundaries.
+
+[1]: https://github.com/pmem/ndctl/issues/76
+
+Fixes: cfe30b872058 ("libnvdimm, pmem: adjust for section collisions with...")
+Cc: <stable@vger.kernel.org>
+Reported-by: Patrick Geary <patrickg@supermicro.com>
+Tested-by: Patrick Geary <patrickg@supermicro.com>
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/nd-core.h     |    2 +
+ drivers/nvdimm/pfn_devs.c    |   64 ++++++++++++++++++++++++-------------------
+ drivers/nvdimm/region_devs.c |   41 +++++++++++++++++++++++++++
+ 3 files changed, 80 insertions(+), 27 deletions(-)
+
+--- a/drivers/nvdimm/nd-core.h
++++ b/drivers/nvdimm/nd-core.h
+@@ -112,6 +112,8 @@ resource_size_t nd_pmem_available_dpa(st
+               struct nd_mapping *nd_mapping, resource_size_t *overlap);
+ resource_size_t nd_blk_available_dpa(struct nd_region *nd_region);
+ resource_size_t nd_region_available_dpa(struct nd_region *nd_region);
++int nd_region_conflict(struct nd_region *nd_region, resource_size_t start,
++              resource_size_t size);
+ resource_size_t nvdimm_allocated_dpa(struct nvdimm_drvdata *ndd,
+               struct nd_label_id *label_id);
+ int alias_dpa_busy(struct device *dev, void *data);
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -590,14 +590,47 @@ static u64 phys_pmem_align_down(struct n
+                       ALIGN_DOWN(phys, nd_pfn->align));
+ }
++/*
++ * Check if pmem collides with 'System RAM', or other regions when
++ * section aligned.  Trim it accordingly.
++ */
++static void trim_pfn_device(struct nd_pfn *nd_pfn, u32 *start_pad, u32 *end_trunc)
++{
++      struct nd_namespace_common *ndns = nd_pfn->ndns;
++      struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev);
++      struct nd_region *nd_region = to_nd_region(nd_pfn->dev.parent);
++      const resource_size_t start = nsio->res.start;
++      const resource_size_t end = start + resource_size(&nsio->res);
++      resource_size_t adjust, size;
++
++      *start_pad = 0;
++      *end_trunc = 0;
++
++      adjust = start - PHYS_SECTION_ALIGN_DOWN(start);
++      size = resource_size(&nsio->res) + adjust;
++      if (region_intersects(start - adjust, size, IORESOURCE_SYSTEM_RAM,
++                              IORES_DESC_NONE) == REGION_MIXED
++                      || nd_region_conflict(nd_region, start - adjust, size))
++              *start_pad = PHYS_SECTION_ALIGN_UP(start) - start;
++
++      /* Now check that end of the range does not collide. */
++      adjust = PHYS_SECTION_ALIGN_UP(end) - end;
++      size = resource_size(&nsio->res) + adjust;
++      if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
++                              IORES_DESC_NONE) == REGION_MIXED
++                      || !IS_ALIGNED(end, nd_pfn->align)
++                      || nd_region_conflict(nd_region, start, size + adjust))
++              *end_trunc = end - phys_pmem_align_down(nd_pfn, end);
++}
++
+ static int nd_pfn_init(struct nd_pfn *nd_pfn)
+ {
+       u32 dax_label_reserve = is_nd_dax(&nd_pfn->dev) ? SZ_128K : 0;
+       struct nd_namespace_common *ndns = nd_pfn->ndns;
+-      u32 start_pad = 0, end_trunc = 0;
++      struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev);
+       resource_size_t start, size;
+-      struct nd_namespace_io *nsio;
+       struct nd_region *nd_region;
++      u32 start_pad, end_trunc;
+       struct nd_pfn_sb *pfn_sb;
+       unsigned long npfns;
+       phys_addr_t offset;
+@@ -629,30 +662,7 @@ static int nd_pfn_init(struct nd_pfn *nd
+       memset(pfn_sb, 0, sizeof(*pfn_sb));
+-      /*
+-       * Check if pmem collides with 'System RAM' when section aligned and
+-       * trim it accordingly
+-       */
+-      nsio = to_nd_namespace_io(&ndns->dev);
+-      start = PHYS_SECTION_ALIGN_DOWN(nsio->res.start);
+-      size = resource_size(&nsio->res);
+-      if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
+-                              IORES_DESC_NONE) == REGION_MIXED) {
+-              start = nsio->res.start;
+-              start_pad = PHYS_SECTION_ALIGN_UP(start) - start;
+-      }
+-
+-      start = nsio->res.start;
+-      size = PHYS_SECTION_ALIGN_UP(start + size) - start;
+-      if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
+-                              IORES_DESC_NONE) == REGION_MIXED
+-                      || !IS_ALIGNED(start + resource_size(&nsio->res),
+-                              nd_pfn->align)) {
+-              size = resource_size(&nsio->res);
+-              end_trunc = start + size - phys_pmem_align_down(nd_pfn,
+-                              start + size);
+-      }
+-
++      trim_pfn_device(nd_pfn, &start_pad, &end_trunc);
+       if (start_pad + end_trunc)
+               dev_info(&nd_pfn->dev, "%s alignment collision, truncate %d bytes\n",
+                               dev_name(&ndns->dev), start_pad + end_trunc);
+@@ -663,7 +673,7 @@ static int nd_pfn_init(struct nd_pfn *nd
+        * implementation will limit the pfns advertised through
+        * ->direct_access() to those that are included in the memmap.
+        */
+-      start += start_pad;
++      start = nsio->res.start + start_pad;
+       size = resource_size(&nsio->res);
+       npfns = PFN_SECTION_ALIGN_UP((size - start_pad - end_trunc - SZ_8K)
+                       / PAGE_SIZE);
+--- a/drivers/nvdimm/region_devs.c
++++ b/drivers/nvdimm/region_devs.c
+@@ -1184,6 +1184,47 @@ int nvdimm_has_cache(struct nd_region *n
+ }
+ EXPORT_SYMBOL_GPL(nvdimm_has_cache);
++struct conflict_context {
++      struct nd_region *nd_region;
++      resource_size_t start, size;
++};
++
++static int region_conflict(struct device *dev, void *data)
++{
++      struct nd_region *nd_region;
++      struct conflict_context *ctx = data;
++      resource_size_t res_end, region_end, region_start;
++
++      if (!is_memory(dev))
++              return 0;
++
++      nd_region = to_nd_region(dev);
++      if (nd_region == ctx->nd_region)
++              return 0;
++
++      res_end = ctx->start + ctx->size;
++      region_start = nd_region->ndr_start;
++      region_end = region_start + nd_region->ndr_size;
++      if (ctx->start >= region_start && ctx->start < region_end)
++              return -EBUSY;
++      if (res_end > region_start && res_end <= region_end)
++              return -EBUSY;
++      return 0;
++}
++
++int nd_region_conflict(struct nd_region *nd_region, resource_size_t start,
++              resource_size_t size)
++{
++      struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(&nd_region->dev);
++      struct conflict_context ctx = {
++              .nd_region = nd_region,
++              .start = start,
++              .size = size,
++      };
++
++      return device_for_each_child(&nvdimm_bus->dev, &ctx, region_conflict);
++}
++
+ void __exit nd_region_devs_exit(void)
+ {
+       ida_destroy(&region_ida);
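Review bot: `region_conflict()` in region_devs.c reports a conflict only when the start or the end of the queried range falls inside another region, so a range that fully covers a smaller sibling region (`ctx->start < region_start` and `res_end > region_end`) returns 0. The usual interval test covers that case as well: `if (ctx->start < region_end && res_end > region_start) return -EBUSY;`. Separately, in `trim_pfn_device()` the end-of-range check passes `size + adjust` to `nd_region_conflict()` although `size` already includes `adjust`, so the probe extends past the section-aligned end. If that is intended it needs a comment; otherwise passing `size` alone would match the `region_intersects()` call beside it.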
diff --git a/queue-4.19/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch b/queue-4.19/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch
new file mode 100644 (file)
index 0000000..e2d6bb0
--- /dev/null
@@ -0,0 +1,43 @@
+From 5c21e8100dfd57c806e833ae905e26efbb87840f Mon Sep 17 00:00:00 2001
+From: Ben Greear <greearb@candelatech.com>
+Date: Tue, 23 Oct 2018 13:36:52 -0700
+Subject: mac80211: Clear beacon_int in ieee80211_do_stop
+
+From: Ben Greear <greearb@candelatech.com>
+
+commit 5c21e8100dfd57c806e833ae905e26efbb87840f upstream.
+
+This fixes stale beacon-int values that would keep a netdev
+from going up.
+
+To reproduce:
+
+Create two VAP on one radio.
+vap1 has beacon-int 100, start it.
+vap2 has beacon-int 240, start it (and it will fail
+  because beacon-int mismatch).
+reconfigure vap2 to have beacon-int 100 and start it.
+  It will fail because the stale beacon-int 240 will be used
+  in the ifup path and hostapd never gets a chance to set the
+  new beacon interval.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/iface.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1015,6 +1015,8 @@ static void ieee80211_do_stop(struct iee
+       if (local->open_count == 0)
+               ieee80211_clear_tx_pending(local);
++      sdata->vif.bss_conf.beacon_int = 0;
++
+       /*
+        * If the interface goes down while suspended, presumably because
+        * the device was unplugged and that happens before our resume,
diff --git a/queue-4.19/mac80211-fix-gfp_kernel-under-tasklet-context.patch b/queue-4.19/mac80211-fix-gfp_kernel-under-tasklet-context.patch
new file mode 100644 (file)
index 0000000..0c209a2
--- /dev/null
@@ -0,0 +1,44 @@
+From c752cac9db1b0c469db7ba9d17af4ba708984db5 Mon Sep 17 00:00:00 2001
+From: Yan-Hsuan Chuang <yhchuang@realtek.com>
+Date: Tue, 23 Oct 2018 11:24:44 +0800
+Subject: mac80211: fix GFP_KERNEL under tasklet context
+
+From: Yan-Hsuan Chuang <yhchuang@realtek.com>
+
+commit c752cac9db1b0c469db7ba9d17af4ba708984db5 upstream.
+
+cfg80211_sta_opmode_change_notify needs a gfp_t flag to hint the nl80211
+stack when allocating new skb, but it is called under tasklet context
+here with GFP_KERNEL and kernel will yield a warning about it.
+
+Cc: stable@vger.kernel.org
+Fixes: ff84e7bfe176 ("mac80211: Add support to notify ht/vht opmode modification.")
+Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
+ACKed-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -3029,7 +3029,7 @@ ieee80211_rx_h_action(struct ieee80211_r
+                       cfg80211_sta_opmode_change_notify(sdata->dev,
+                                                         rx->sta->addr,
+                                                         &sta_opmode,
+-                                                        GFP_KERNEL);
++                                                        GFP_ATOMIC);
+                       goto handled;
+               }
+               case WLAN_HT_ACTION_NOTIFY_CHANWIDTH: {
+@@ -3066,7 +3066,7 @@ ieee80211_rx_h_action(struct ieee80211_r
+                       cfg80211_sta_opmode_change_notify(sdata->dev,
+                                                         rx->sta->addr,
+                                                         &sta_opmode,
+-                                                        GFP_KERNEL);
++                                                        GFP_ATOMIC);
+                       goto handled;
+               }
+               default:
diff --git a/queue-4.19/mac80211-fix-reordering-of-buffered-broadcast-packets.patch b/queue-4.19/mac80211-fix-reordering-of-buffered-broadcast-packets.patch
new file mode 100644 (file)
index 0000000..6b41ae9
--- /dev/null
@@ -0,0 +1,38 @@
+From 9ec1190d065998650fd9260dea8cf3e1f56c0e8c Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 28 Nov 2018 22:39:16 +0100
+Subject: mac80211: fix reordering of buffered broadcast packets
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 9ec1190d065998650fd9260dea8cf3e1f56c0e8c upstream.
+
+If the buffered broadcast queue contains packets, letting new packets bypass
+that queue can lead to heavy reordering, since the driver is probably throttling
+transmission of buffered multicast packets after beacons.
+
+Keep buffering packets until the buffer has been cleared (and no client
+is in powersave mode).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/tx.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -439,8 +439,8 @@ ieee80211_tx_h_multicast_ps_buf(struct i
+       if (ieee80211_hw_check(&tx->local->hw, QUEUE_CONTROL))
+               info->hw_queue = tx->sdata->vif.cab_queue;
+-      /* no stations in PS mode */
+-      if (!atomic_read(&ps->num_sta_ps))
++      /* no stations in PS mode and no buffered packets */
++      if (!atomic_read(&ps->num_sta_ps) && skb_queue_empty(&ps->bc_buf))
+               return TX_CONTINUE;
+       info->flags |= IEEE80211_TX_CTL_SEND_AFTER_DTIM;
diff --git a/queue-4.19/mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch b/queue-4.19/mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch
new file mode 100644 (file)
index 0000000..ccd8a04
--- /dev/null
@@ -0,0 +1,44 @@
+From 990d71846a0b7281bd933c34d734e6afc7408e7e Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 3 Dec 2018 21:16:07 +0200
+Subject: mac80211: ignore NullFunc frames in the duplicate detection
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 990d71846a0b7281bd933c34d734e6afc7408e7e upstream.
+
+NullFunc packets should never be duplicate just like
+QoS-NullFunc packets.
+
+We saw a client that enters / exits power save with
+NullFunc frames (and not with QoS-NullFunc) despite the
+fact that the association supports HT.
+This specific client also re-uses a non-zero sequence number
+for different NullFunc frames.
+At some point, the client had to send a retransmission of
+the NullFunc frame and we dropped it, leading to a
+misalignment in the power save state.
+Fix this by never consider a NullFunc frame as duplicate,
+just like we do for QoS NullFunc frames.
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201449
+
+CC: <stable@vger.kernel.org>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1372,6 +1372,7 @@ ieee80211_rx_h_check_dup(struct ieee8021
+               return RX_CONTINUE;
+       if (ieee80211_is_ctl(hdr->frame_control) ||
++          ieee80211_is_nullfunc(hdr->frame_control) ||
+           ieee80211_is_qos_nullfunc(hdr->frame_control) ||
+           is_multicast_ether_addr(hdr->addr1))
+               return RX_CONTINUE;
diff --git a/queue-4.19/mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch b/queue-4.19/mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch
new file mode 100644 (file)
index 0000000..043564e
--- /dev/null
@@ -0,0 +1,35 @@
+From a317e65face482371de30246b6494feb093ff7f9 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Tue, 13 Nov 2018 20:32:13 +0100
+Subject: mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit a317e65face482371de30246b6494feb093ff7f9 upstream.
+
+Make it behave like regular ieee80211_tx_status calls, except for the lack of
+filtered frame processing.
+This fixes spurious low-ack triggered disconnections with powersave clients
+connected to an AP.
+
+Fixes: f027c2aca0cf4 ("mac80211: add ieee80211_tx_status_noskb")
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/status.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -964,6 +964,8 @@ void ieee80211_tx_status_ext(struct ieee
+                       /* Track when last TDLS packet was ACKed */
+                       if (test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH))
+                               sta->status_stats.last_tdls_pkt_time = jiffies;
++              } else if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
++                      return;
+               } else {
+                       ieee80211_lost_packet(sta, info);
+               }
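Review bot: The new `else if (test_sta_flag(sta, WLAN_STA_PS_STA)) return;` branch leaves ieee80211_tx_status_ext entirely instead of only bypassing `ieee80211_lost_packet()`. Everything after this if/else chain, which is outside the hunk, is therefore also skipped for power-save stations. If that is intended, a comment on the branch should say so, for example `/* PS station: a missing ACK is expected; skip loss accounting and the remaining status processing */`. If only the loss accounting is meant to be skipped, an empty branch would be the narrower change.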
diff --git a/queue-4.19/mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch b/queue-4.19/mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch
new file mode 100644 (file)
index 0000000..427779c
--- /dev/null
@@ -0,0 +1,54 @@
+From a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 Mon Sep 17 00:00:00 2001
+From: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
+Date: Thu, 18 Oct 2018 01:02:12 +0300
+Subject: mac80211_hwsim: Timer should be initialized before device registered
+
+From: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
+
+commit a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 upstream.
+
+Otherwise if network manager starts configuring Wi-Fi interface
+immidiatelly after getting notification of its creation, we will get
+NULL pointer dereference:
+
+  BUG: unable to handle kernel NULL pointer dereference at           (null)
+  IP: [<ffffffff95ae94c8>] hrtimer_active+0x28/0x50
+  ...
+  Call Trace:
+   [<ffffffff95ae9997>] ? hrtimer_try_to_cancel+0x27/0x110
+   [<ffffffff95ae9a95>] ? hrtimer_cancel+0x15/0x20
+   [<ffffffffc0803bf0>] ? mac80211_hwsim_config+0x140/0x1c0 [mac80211_hwsim]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mac80211_hwsim.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -2889,6 +2889,10 @@ static int mac80211_hwsim_new_radio(stru
+       wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_CQM_RSSI_LIST);
++      tasklet_hrtimer_init(&data->beacon_timer,
++                           mac80211_hwsim_beacon,
++                           CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
++
+       err = ieee80211_register_hw(hw);
+       if (err < 0) {
+               pr_debug("mac80211_hwsim: ieee80211_register_hw failed (%d)\n",
+@@ -2913,10 +2917,6 @@ static int mac80211_hwsim_new_radio(stru
+                                   data->debugfs,
+                                   data, &hwsim_simulate_radar);
+-      tasklet_hrtimer_init(&data->beacon_timer,
+-                           mac80211_hwsim_beacon,
+-                           CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
+-
+       spin_lock_bh(&hwsim_radio_lock);
+       err = rhashtable_insert_fast(&hwsim_radios_rht, &data->rht,
+                                    hwsim_rht_params);
diff --git a/queue-4.19/revert-commit-ef9209b642f-staging-rtl8723bs-fix-indenting-errors-and-an-off-by-one-mistake-in-core-rtw_mlme_ext.c.patch b/queue-4.19/revert-commit-ef9209b642f-staging-rtl8723bs-fix-indenting-errors-and-an-off-by-one-mistake-in-core-rtw_mlme_ext.c.patch
new file mode 100644 (file)
index 0000000..49ddec8
--- /dev/null
@@ -0,0 +1,33 @@
+From 87e4a5405f087427fbf8b437d2796283dce2b38f Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Tue, 27 Nov 2018 09:12:20 +0000
+Subject: Revert commit ef9209b642f "staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c"
+
+From: Young Xiao <YangX92@hotmail.com>
+
+commit 87e4a5405f087427fbf8b437d2796283dce2b38f upstream.
+
+pstapriv->max_num_sta is always <= NUM_STA, since max_num_sta is either
+set in _rtw_init_sta_priv() or rtw_set_beacon().
+
+Fixes: ef9209b642f1 ("staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c")
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme_ext.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+@@ -1566,7 +1566,7 @@ unsigned int OnAssocReq(struct adapter *
+       if (pstat->aid > 0) {
+               DBG_871X("  old AID %d\n", pstat->aid);
+       } else {
+-              for (pstat->aid = 1; pstat->aid < NUM_STA; pstat->aid++)
++              for (pstat->aid = 1; pstat->aid <= NUM_STA; pstat->aid++)
+                       if (pstapriv->sta_aid[pstat->aid - 1] == NULL)
+                               break;
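Review bot: The restored bound `pstat->aid <= NUM_STA` is only safe if `pstapriv->sta_aid` has at least NUM_STA entries and the code after the loop rejects an `aid` left at NUM_STA + 1 when no slot is free. Neither the array declaration nor that check is in the hunk. Since this bound has now been changed twice, a comment above the loop should record the invariant, for example `/* aid is 1-based; sta_aid[] has NUM_STA slots, so aid - 1 stays in range */`. OnAssocReq starts and ends outside the hunk.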
index 1ea94c5a2566b960592deab7551903a1077a663b..c01e56effaaf8ad822a0e868b256bf1b6c3d4f6f 100644 (file)
@@ -90,3 +90,28 @@ xhci-workaround-css-timeout-on-amd-snps-3.0-xhc.patch
 xhci-prevent-u1-u2-link-pm-states-if-exit-latency-is-too-long.patch
 arm64-dts-rockchip-remove-vdd_log-from-rock960-to-fi.patch
 revert-x86-e820-put-e820_type_ram-regions-into-membl.patch
+cifs-fix-separator-when-building-path-from-dentry.patch
+staging-rtl8712-fix-possible-buffer-overrun.patch
+revert-commit-ef9209b642f-staging-rtl8723bs-fix-indenting-errors-and-an-off-by-one-mistake-in-core-rtw_mlme_ext.c.patch
+crypto-do-not-free-algorithm-before-using.patch
+drm-amdgpu-update-mc-firmware-image-for-polaris12-variants.patch
+drm-lease-send-a-distinct-uevent.patch
+drm-msm-move-fence-put-to-where-failure-occurs.patch
+drm-amdgpu-gmc8-update-mc-firmware-for-polaris.patch
+drm-amdgpu-gmc8-always-load-mc-firmware-in-the-driver.patch
+drm-i915-downgrade-gen9-plane-wm-latency-error.patch
+kprobes-x86-fix-instruction-patching-corruption-when-copying-more-than-one-rip-relative-instruction.patch
+x86-efi-allocate-e820-buffer-before-calling-efi_exit_boot_service.patch
+drivers-hv-vmbus-offload-the-handling-of-channels-to-two-workqueues.patch
+tty-serial-8250_mtk-always-resume-the-device-in-probe.patch
+tty-do-not-set-tty_io_error-flag-if-console-port.patch
+gnss-sirf-fix-activation-retry-handling.patch
+kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch
+libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch
+cfg80211-fix-busy-loop-regression-in-ieee80211_ie_split_ric.patch
+mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch
+mac80211-fix-gfp_kernel-under-tasklet-context.patch
+mac80211-clear-beacon_int-in-ieee80211_do_stop.patch
+mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch
+mac80211-fix-reordering-of-buffered-broadcast-packets.patch
+mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch
diff --git a/queue-4.19/staging-rtl8712-fix-possible-buffer-overrun.patch b/queue-4.19/staging-rtl8712-fix-possible-buffer-overrun.patch
new file mode 100644 (file)
index 0000000..3333bb2
--- /dev/null
@@ -0,0 +1,47 @@
+From 300cd664865bed5d50ae0a42fb4e3a6f415e8a10 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Wed, 28 Nov 2018 08:06:53 +0000
+Subject: staging: rtl8712: Fix possible buffer overrun
+
+From: Young Xiao <YangX92@hotmail.com>
+
+commit 300cd664865bed5d50ae0a42fb4e3a6f415e8a10 upstream.
+
+In commit 8b7a13c3f404 ("staging: r8712u: Fix possible buffer
+overrun") we fix a potential off by one by making the limit smaller.
+The better fix is to make the buffer larger.  This makes it match up
+with the similar code in other drivers.
+
+Fixes: 8b7a13c3f404 ("staging: r8712u: Fix possible buffer overrun")
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8712/mlme_linux.c   |    2 +-
+ drivers/staging/rtl8712/rtl871x_mlme.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8712/mlme_linux.c
++++ b/drivers/staging/rtl8712/mlme_linux.c
+@@ -158,7 +158,7 @@ void r8712_report_sec_ie(struct _adapter
+               p = buff;
+               p += sprintf(p, "ASSOCINFO(ReqIEs=");
+               len = sec_ie[1] + 2;
+-              len =  (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX - 1;
++              len =  (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;
+               for (i = 0; i < len; i++)
+                       p += sprintf(p, "%02x", sec_ie[i]);
+               p += sprintf(p, ")");
+--- a/drivers/staging/rtl8712/rtl871x_mlme.c
++++ b/drivers/staging/rtl8712/rtl871x_mlme.c
+@@ -1358,7 +1358,7 @@ sint r8712_restruct_sec_ie(struct _adapt
+                    u8 *out_ie, uint in_len)
+ {
+       u8 authmode = 0, match;
+-      u8 sec_ie[255], uncst_oui[4], bkup_ie[255];
++      u8 sec_ie[IW_CUSTOM_MAX], uncst_oui[4], bkup_ie[255];
+       u8 wpa_oui[4] = {0x0, 0x50, 0xf2, 0x01};
+       uint ielength, cnt, remove_cnt;
+       int iEntry;
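Review bot: In r8712_report_sec_ie the clamp `len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;` limits how many bytes are read from `sec_ie`, not how many are written to `buff`. Every input byte becomes two characters through an unbounded `sprintf`, on top of the `ASSOCINFO(ReqIEs=` prefix and the closing `)`. The allocation of `buff` and the declaration of `i` are outside the hunk, so this needs confirming, but if `buff` holds IW_CUSTOM_MAX bytes the loop can write past it once `len` exceeds roughly half that size. I would track the end of the buffer and format with `p += scnprintf(p, end - p, "%02x", sec_ie[i]);`, or cap `len` by the space left after the prefix. Enlarging `sec_ie` in r8712_restruct_sec_ie (presumably the buffer handed to r8712_report_sec_ie) covers the read side only, and the loop counter should be checked to be wide enough to reach the new limit.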
diff --git a/queue-4.19/tty-do-not-set-tty_io_error-flag-if-console-port.patch b/queue-4.19/tty-do-not-set-tty_io_error-flag-if-console-port.patch
new file mode 100644 (file)
index 0000000..6d9654c
--- /dev/null
@@ -0,0 +1,55 @@
+From 2a48602615e0a2f563549c7d5c8d507f904cf96e Mon Sep 17 00:00:00 2001
+From: Chanho Park <parkch98@gmail.com>
+Date: Thu, 22 Nov 2018 18:23:47 +0900
+Subject: tty: do not set TTY_IO_ERROR flag if console port
+
+From: Chanho Park <parkch98@gmail.com>
+
+commit 2a48602615e0a2f563549c7d5c8d507f904cf96e upstream.
+
+Since Commit 761ed4a94582 ('tty: serial_core: convert uart_close to use
+tty_port_close') and Commit 4dda864d7307 ('tty: serial_core: Fix serial
+console crash on port shutdown), a serial port which is used as
+console can be stuck when logging out if there is a remained process.
+After logged out, agetty will try to grab the serial port but it will
+be failed because the previous process did not release the port
+correctly. To fix this, TTY_IO_ERROR bit should not be enabled of
+tty_port_close if the port is console port.
+
+Reproduce step:
+- Run background processes from serial console
+$ while true; do sleep 10; done &
+
+- Log out
+$ logout
+-> Stuck
+
+- Read journal log by journalctl | tail
+Jan 28 16:07:01 ubuntu systemd[1]: Stopped Serial Getty on ttyAMA0.
+Jan 28 16:07:01 ubuntu systemd[1]: Started Serial Getty on ttyAMA0.
+Jan 28 16:07:02 ubuntu agetty[1643]: /dev/ttyAMA0: not a tty
+
+Fixes: 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close")
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: Rob Herring <robh@kernel.org>
+Cc: Jiri Slaby <jslaby@suse.com>
+Signed-off-by: Chanho Park <parkch98@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_port.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/tty_port.c
++++ b/drivers/tty/tty_port.c
+@@ -640,7 +640,8 @@ void tty_port_close(struct tty_port *por
+       if (tty_port_close_start(port, tty, filp) == 0)
+               return;
+       tty_port_shutdown(port, tty);
+-      set_bit(TTY_IO_ERROR, &tty->flags);
++      if (!port->console)
++              set_bit(TTY_IO_ERROR, &tty->flags);
+       tty_port_close_end(port, tty);
+       tty_port_tty_set(port, NULL);
+ }
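Review bot: The new `if (!port->console)` guard in tty_port_close carries no comment, and the code alone does not show why a console port must skip `set_bit(TTY_IO_ERROR, &tty->flags)`. Going by the commit message, a comment such as `/* a console port stays in use after close; leaving TTY_IO_ERROR set makes the next open (e.g. getty) fail */` above the test would keep the reason with the code. The function begins outside the hunk.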
diff --git a/queue-4.19/tty-serial-8250_mtk-always-resume-the-device-in-probe.patch b/queue-4.19/tty-serial-8250_mtk-always-resume-the-device-in-probe.patch
new file mode 100644 (file)
index 0000000..a2b3d1e
--- /dev/null
@@ -0,0 +1,69 @@
+From 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 Mon Sep 17 00:00:00 2001
+From: Peter Shih <pihsun@chromium.org>
+Date: Tue, 27 Nov 2018 12:49:50 +0800
+Subject: tty: serial: 8250_mtk: always resume the device in probe.
+
+From: Peter Shih <pihsun@chromium.org>
+
+commit 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 upstream.
+
+serial8250_register_8250_port calls uart_config_port, which calls
+config_port on the port before it tries to power on the port. So we need
+the port to be on before calling serial8250_register_8250_port. Change
+the code to always do a runtime resume in probe before registering port,
+and always do a runtime suspend in remove.
+
+This basically reverts the change in commit 68e5fc4a255a ("tty: serial:
+8250_mtk: use pm_runtime callbacks for enabling"), but still use
+pm_runtime callbacks.
+
+Fixes: 68e5fc4a255a ("tty: serial: 8250_mtk: use pm_runtime callbacks for enabling")
+Signed-off-by: Peter Shih <pihsun@chromium.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_mtk.c |   16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_mtk.c
++++ b/drivers/tty/serial/8250/8250_mtk.c
+@@ -213,17 +213,17 @@ static int mtk8250_probe(struct platform
+       platform_set_drvdata(pdev, data);
+-      pm_runtime_enable(&pdev->dev);
+-      if (!pm_runtime_enabled(&pdev->dev)) {
+-              err = mtk8250_runtime_resume(&pdev->dev);
+-              if (err)
+-                      return err;
+-      }
++      err = mtk8250_runtime_resume(&pdev->dev);
++      if (err)
++              return err;
+       data->line = serial8250_register_8250_port(&uart);
+       if (data->line < 0)
+               return data->line;
++      pm_runtime_set_active(&pdev->dev);
++      pm_runtime_enable(&pdev->dev);
++
+       return 0;
+ }
+@@ -234,13 +234,11 @@ static int mtk8250_remove(struct platfor
+       pm_runtime_get_sync(&pdev->dev);
+       serial8250_unregister_port(data->line);
++      mtk8250_runtime_suspend(&pdev->dev);
+       pm_runtime_disable(&pdev->dev);
+       pm_runtime_put_noidle(&pdev->dev);
+-      if (!pm_runtime_status_suspended(&pdev->dev))
+-              mtk8250_runtime_suspend(&pdev->dev);
+-
+       return 0;
+ }
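Review bot: In mtk8250_probe the error return after `serial8250_register_8250_port()` leaves the device resumed. `mtk8250_runtime_resume()` now runs unconditionally, but `if (data->line < 0) return data->line;` exits without the matching suspend. Whatever the resume callback turns on (its body is outside the hunk, presumably the UART clocks) stays on after a failed probe. The failure branch should undo it, e.g. `if (data->line < 0) { mtk8250_runtime_suspend(&pdev->dev); return data->line; }`. Both probe and remove begin outside the hunks shown.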
diff --git a/queue-4.19/x86-efi-allocate-e820-buffer-before-calling-efi_exit_boot_service.patch b/queue-4.19/x86-efi-allocate-e820-buffer-before-calling-efi_exit_boot_service.patch
new file mode 100644 (file)
index 0000000..d36e151
--- /dev/null
@@ -0,0 +1,179 @@
+From b84a64fad40637b1c9fa4f4dbf847a23e29e672b Mon Sep 17 00:00:00 2001
+From: Eric Snowberg <eric.snowberg@oracle.com>
+Date: Thu, 29 Nov 2018 18:12:20 +0100
+Subject: x86/efi: Allocate e820 buffer before calling efi_exit_boot_service
+
+From: Eric Snowberg <eric.snowberg@oracle.com>
+
+commit b84a64fad40637b1c9fa4f4dbf847a23e29e672b upstream.
+
+The following commit:
+
+  d64934019f6c ("x86/efi: Use efi_exit_boot_services()")
+
+introduced a regression on systems with large memory maps causing them
+to hang on boot. The first "goto get_map" that was removed from
+exit_boot() ensured there was enough room for the memory map when
+efi_call_early(exit_boot_services) was called. This happens when
+(nr_desc > ARRAY_SIZE(params->e820_table).
+
+Chain of events:
+
+  exit_boot()
+    efi_exit_boot_services()
+      efi_get_memory_map                  <- at this point the mm can't grow over 8 desc
+      priv_func()
+        exit_boot_func()
+          allocate_e820ext()              <- new mm grows over 8 desc from e820 alloc
+      efi_call_early(exit_boot_services)  <- mm key doesn't match so retry
+      efi_call_early(get_memory_map)      <- not enough room for new mm
+      system hangs
+
+This patch allocates the e820 buffer before calling efi_exit_boot_services()
+and fixes the regression.
+
+ [ mingo: minor cleanliness edits. ]
+
+Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: <stable@vger.kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Arend van Spriel <arend.vanspriel@broadcom.com>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: Jon Hunter <jonathanh@nvidia.com>
+Cc: Julien Thierry <julien.thierry@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Nathan Chancellor <natechancellor@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+Cc: Sedat Dilek <sedat.dilek@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: YiFei Zhu <zhuyifei1999@gmail.com>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20181129171230.18699-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/boot/compressed/eboot.c |   65 ++++++++++++++++++++++++---------------
+ 1 file changed, 41 insertions(+), 24 deletions(-)
+
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -1,3 +1,4 @@
++
+ /* -----------------------------------------------------------------------
+  *
+  *   Copyright 2011 Intel Corporation; author Matt Fleming
+@@ -634,37 +635,54 @@ static efi_status_t alloc_e820ext(u32 nr
+       return status;
+ }
++static efi_status_t allocate_e820(struct boot_params *params,
++                                struct setup_data **e820ext,
++                                u32 *e820ext_size)
++{
++      unsigned long map_size, desc_size, buff_size;
++      struct efi_boot_memmap boot_map;
++      efi_memory_desc_t *map;
++      efi_status_t status;
++      __u32 nr_desc;
++
++      boot_map.map            = &map;
++      boot_map.map_size       = &map_size;
++      boot_map.desc_size      = &desc_size;
++      boot_map.desc_ver       = NULL;
++      boot_map.key_ptr        = NULL;
++      boot_map.buff_size      = &buff_size;
++
++      status = efi_get_memory_map(sys_table, &boot_map);
++      if (status != EFI_SUCCESS)
++              return status;
++
++      nr_desc = buff_size / desc_size;
++
++      if (nr_desc > ARRAY_SIZE(params->e820_table)) {
++              u32 nr_e820ext = nr_desc - ARRAY_SIZE(params->e820_table);
++
++              status = alloc_e820ext(nr_e820ext, e820ext, e820ext_size);
++              if (status != EFI_SUCCESS)
++                      return status;
++      }
++
++      return EFI_SUCCESS;
++}
++
+ struct exit_boot_struct {
+       struct boot_params      *boot_params;
+       struct efi_info         *efi;
+-      struct setup_data       *e820ext;
+-      __u32                   e820ext_size;
+ };
+ static efi_status_t exit_boot_func(efi_system_table_t *sys_table_arg,
+                                  struct efi_boot_memmap *map,
+                                  void *priv)
+ {
+-      static bool first = true;
+       const char *signature;
+       __u32 nr_desc;
+       efi_status_t status;
+       struct exit_boot_struct *p = priv;
+-      if (first) {
+-              nr_desc = *map->buff_size / *map->desc_size;
+-              if (nr_desc > ARRAY_SIZE(p->boot_params->e820_table)) {
+-                      u32 nr_e820ext = nr_desc -
+-                                      ARRAY_SIZE(p->boot_params->e820_table);
+-
+-                      status = alloc_e820ext(nr_e820ext, &p->e820ext,
+-                                             &p->e820ext_size);
+-                      if (status != EFI_SUCCESS)
+-                              return status;
+-              }
+-              first = false;
+-      }
+-
+       signature = efi_is_64bit() ? EFI64_LOADER_SIGNATURE
+                                  : EFI32_LOADER_SIGNATURE;
+       memcpy(&p->efi->efi_loader_signature, signature, sizeof(__u32));
+@@ -687,8 +705,8 @@ static efi_status_t exit_boot(struct boo
+ {
+       unsigned long map_sz, key, desc_size, buff_size;
+       efi_memory_desc_t *mem_map;
+-      struct setup_data *e820ext;
+-      __u32 e820ext_size;
++      struct setup_data *e820ext = NULL;
++      __u32 e820ext_size = 0;
+       efi_status_t status;
+       __u32 desc_version;
+       struct efi_boot_memmap map;
+@@ -702,8 +720,10 @@ static efi_status_t exit_boot(struct boo
+       map.buff_size           = &buff_size;
+       priv.boot_params        = boot_params;
+       priv.efi                = &boot_params->efi_info;
+-      priv.e820ext            = NULL;
+-      priv.e820ext_size       = 0;
++
++      status = allocate_e820(boot_params, &e820ext, &e820ext_size);
++      if (status != EFI_SUCCESS)
++              return status;
+       /* Might as well exit boot services now */
+       status = efi_exit_boot_services(sys_table, handle, &map, &priv,
+@@ -711,9 +731,6 @@ static efi_status_t exit_boot(struct boo
+       if (status != EFI_SUCCESS)
+               return status;
+-      e820ext                 = priv.e820ext;
+-      e820ext_size            = priv.e820ext_size;
+-
+       /* Historic? */
+       boot_params->alt_mem_k  = 32 * 1024;